
CMMC Readiness – Q&A

DoD Cybersecurity Maturity Model Certification Readiness - Question & Answers

by Damon Hacker, MBA, CISA, CSXF, CMMC-RP
President & CEO, Vestige Digital Investigations
Cybersecurity Compliance Expert

Q: Did you know CMMC will be in all DoD contracts beginning Spring/Summer 2023?

A: CMMC v2.0 (announced Nov 4, 2021) is presently going through the Federal Rulemaking process. Historically speaking, this process generally runs 9-24 months. Even if it takes the full 24 months, CMMC would be in place by the end of 2023 (2 years earlier than the original CMMC v1) – but it’s not going to take 24 months. While Vestige has kept a watchful eye on the Rulemaking process, we anticipated the Interim Final Rule to be issued mid-2023. Recently (July and August 2023), the DoD and the CyberAB provided updates on the progress of the Rulemaking process and anticipate that an Interim Final Rule on CMMC will be issued somewhere between March 2023 and June 2023 – meaning that we will start seeing CMMC contracts beginning Spring/Summer 2023. If you’re not well on your way through your CMMC journey, now is the time to talk to Vestige’s CMMC experts!

Q: Is there a layman’s pre-assessment? The jargon can be problematic for understanding the CMMC requirements.

A: There are a lot of software companies in the “compliance” market, and at the first signs of the CMMC many raced to adapt prior solutions to fit it. As a result, I suspect that there probably is something like this out there. Having said that, I’ve reviewed quite a few of these solutions and I have not found any that I felt were simple (a layman’s approach), straightforward and affordable. Because these compliance solutions tend to be all-encompassing, they generally include a wide range of features that overly complicate the process. I encourage you to keep an eye on developments on this front from us. We are actually in the process of trying to do just that. It is a balancing act, and my hope is that we can achieve it in such a way as to keep it as simple as possible.

Q: Will you have any simplified packages (documentation, etc.) as a starting point for your clients? Perhaps at different levels, like a basic simplified version for people with a very limited number of internal employees and minor access – on-premises vs. cloud.

A: Absolutely. Having been in this area for 20 years, we have amassed a ton of experience and as such have put together turnkey solutions on the assessment, remediation and even assisting during the actual C3PAO external audit. Happy to have a scoping call and provide a proposal on that front.

Q: If we already have to meet NIST 800-171, haven’t we all exceeded CMMC 2.0 Level 1? So why wouldn’t we all have to target Level 2 as a minimum certification level?

A: This is a really tricky one. You’re right! Unless you are a new provider to the DoD, you would already have needed to be in compliance with NIST 800-171 (DFARS 252.204-7012), as entities have had to be compliant with NIST 800-171 since its introduction and adoption in late 2016/early 2017. It is also true that NIST 800-171 is more stringent than Maturity Level 1 of CMMC 2.0. So if the eventual answer is that you only need to be at Maturity Level 1, why should you care about NIST 800-171?

There are two reasons. One is staying in compliance with DFARS (specifically, the “Interim Rule” that went into effect on 11/30/2020). The other reason is much more selfish for you as an organization: it’s just good business! I’ve been in cybersecurity for going on 21 years. I often get asked “what has changed over the years – what are you recommending?” The sad response is “not much. The same things that worked 20+ years ago are foundationally the same issues we’re facing today. Yes, the tactics have gotten better, there’s more awareness, more visibility to the problem, but the risks remain the same AND the solutions are still the same.” Sure, we have newer technologies, have built Artificial Intelligence into products, have more options available to us…but at the end of the day it’s all about understanding your risk and putting the right cyber hygiene practices into place.

CMMC defines Maturity Level 1 practices as “Basic Cybersecurity”. Even Maturity Level 2 is only defined as “Good Cybersecurity”. Good. Not great! But good. If you care about ensuring that your own proprietary intellectual property doesn’t go out the door; if you care about ensuring you don’t fall victim to a financial fraud by erroneously wiring tens or hundreds of thousands of dollars, or even more, out the door; if you don’t want to experience plant shutdowns or an inability to communicate with customers and suppliers because the organization has suffered a ransomware attack – or if you care about any of the other myriad problems linked to poor (or even “basic”) cyber hygiene, then it’s time to put in place the controls that NIST 800-171 and/or CMMC 2.0 Level 2 dictate. If you’re only required to be at Maturity Level 1, great, CERTIFY to Level 1 – but don’t delay in putting the Level 2 controls in!

–mic drop—

(Oh, and if you really don’t care about achieving Level 2 but are in this situation, CONTACT VESTIGE to discuss a strategy, because there is a way to address this.)

Q: Can we “limit” the scope of the environment to avoid having to apply the CMMC requirements to our entire IT system?

A: The short answer is “it depends”. The longer answer is “yes, but there are some caveats”. Narrowing the CUI environment can be a good strategy, as it makes the reach of many of the controls much smaller; however, the boundary has to be consistent with where FCI and/or CUI flow and/or are accessed, stored, etc. In essence, you can’t simply limit the scope because you want to — the system must be designed in such a way as to ensure that FCI and CUI have been isolated. One caveat I’ll pass along based upon years of experience — sometimes limiting the scope of the (CUI) environment to “get away” from having to comply across the board can actually backfire. The reasoning is that when the controls are applied across the board, individuals don’t have to rely upon judgment as to whether a process/practice needs to be employed — it is just ALWAYS applied. As a result, it tends not to get overlooked. Additionally, when the scope is wider there are more opportunities to address and follow the processes/practices. This leads to better “muscle memory” and therefore adherence. If you expand the environment to the entire enterprise and that results in performing a process/practice on a weekly basis, you’ll be much better at it than if you limit it to a very small subsection of only CUI. In that narrow case you might only see the need to engage that process/practice once a year, and you run the risk that the opportunity to apply it is overlooked. The best answer, however, is to contact us and have a discussion surrounding your specific situation, so that an educated decision can be made about the appropriate scope.

Q: Are subcontractors required to maintain the same level CMMC certification as the prime?

A: I want to flip your thinking around a bit on this.  The most direct answer is yes…but it’s not the relationship with the prime that is the driving force; rather, it’s about what kind of information the subcontractor(s) will have access to and the methodology for doing so.  In its simplest form, however, the answer is the contract will call for a specific maturity level and all entities working on that will need to maintain a maturity level at the required level or higher.  So, say for instance a DoD contract requires maturity level 2 (ML2) — the prime, who holds a maturity level 3 (ML3) certification can clearly be awarded the contract and can receive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  A subcontractor that holds a maturity level 2 (ML2) CMMC 2.0 certification, would also be allowed access to both FCI and CUI.  Are there ways, however, for an entity that only holds a maturity level 1 (ML1) certification to work on the contract?  Yes.  However, it requires a range of constraints, which may or may not work in your

Q: How does CMMC relate to ISO 27001?

A: All of the cybersecurity frameworks have similarities. The differences depend upon what the overall goals of the framework are. The goal of ISO 27001 is built around the fact that an organization that defines and follows a sound Information Security Management System will, by definition, have a well-controlled environment. A well-controlled environment translates into an organization that is generally more secure. That’s not too far off from the goal of CMMC. In fact, when you dissect the DoD’s goals for the program, understand the framework at its foundation and learn about the goals promulgated through the CMMC Accreditation Body, you will see that CMMC is, in fact, about creating an Information Security Management System that is imbued within the culture of the OSC (Organization Seeking Certification). As such, ISO 27001 and CMMC are pretty well aligned.

Having said that, if you were to place all of the varying frameworks onto a continuum, with those programs that offer weaker coverage on the left-hand side and those that offer robust coverage on the right-hand side, you would find that CMMC is much closer to the right-hand side (robust coverage) than ISO 27001 – therefore it could be interpreted as more complex, more difficult and “stronger” than ISO 27001. In fact, NIST 800-171 is derived from NIST 800-53 (Moderate Baseline), and all three of those (NIST 800-171, CMMC and NIST 800-53 Moderate) are considered “more robust”.

Q: We have a subcontract with a big four accounting firm performing work for the DoD. Each employee has a government laptop as well as a laptop issued by the prime for NIST compliance. All DoD client information must stay between each of the two laptops and no other system can be used. Would only Level 1 apply in this situation?

A: We encourage you to pull down the CMMC requirements and look at the controls for Maturity Level 2. You will see that only a small percentage of the items relate to the physical and logical access to the devices that touch, store, process or otherwise interface with CUI. Rather, quite a few of the control objectives relate to the practices and processes that the overall organization follows in each of those domains — things like the organization’s practices around hiring and on-boarding individuals, how access is determined, authorized and granted, how user rights are removed upon termination, technology disposal, how you keep up on compliance issues, vulnerabilities, etc. What I’m getting at is that there’s much more to it than just those physical devices provided by the Government and the Prime. While each individual situation differs, I’d want to take a very careful look at the policies and procedures around the use of those devices and whether the processes and practices are documented, practiced and strong enough to, in fact, prove that the CUI environment only applies to those particular devices and that by their very nature the remaining CMMC controls are not applicable. The short answer, though, is that in my opinion your situation does not lend itself to avoiding Maturity Level 2. Finally, recall that at the end of the day it all depends on the requirement of the contract itself. If the contract has portions that require Maturity Level 2, then all parties (prime(s) and subcontractor(s)) that need access to that information will need to be at Level 2 or higher.

Q: Is there a differentiation for non-US owned firms?

A: Yes and no. The standard and framework itself apply equally to any provider within the Defense Supply Chain. However, you should note that some categories/subcategories of CUI (typically things like Export Control, nuclear, weapons systems and space) may carry additional safeguarding requirements similar to, or in addition to, ITAR (International Traffic in Arms Regulations). Therefore, there may be additional restrictions, especially as they relate to No Foreign Nationals (NOFORN).

Q: Do we have a detailed definition of what is considered CUI in any given DoD contract? In other words, if someone in our supply chain (subcontractors and vendors) has no access to CUI, they would not have to be CMMC Certified to perform work under that contract? We are concerned about the supply chain under us (Prime contractors).

A: You are right to be concerned about the supply chain under you, as DFARS 252.204-7021 squarely puts that responsibility on all entities that use subcontractors: you must ensure that those you work with also have the appropriate CMMC levels, or find alternative ways to work with that subcontractor (i.e. without sharing CUI, and in some situations even FCI if the subcontractor doesn’t meet CMMC Maturity Level 1). Be aware that CMMC covers more than just CUI. It handles the broader scope of information known as Federal Contract Information (FCI).

Your broader question about defining CUI is a bit more complicated to answer. The National Archives and Records Administration (NARA) is the entity responsible for defining, categorizing and maintaining the CUI Registry (available at ...). While CUI is supposed to be marked by any entity that receives and uses it, the reality is that each of us knows that from time to time we are in receipt of information that is probably CUI but is unmarked. Did you realize that even if information is unmarked but fits the definition of CUI, you still have a responsibility to treat it as such? See 32 CFR Part 2002, specifically 2002.14(b), 2002.14(c) and 2002.20(7).

Q: Do you expect documentation will be more clearly marked as CUI going forward?  We struggle with unmarked documents, incorrectly marked (FOUO) or clarity

A: I do.  Ironically, I already believe that the private sector does a better job of protecting CUI than the government.  I believe that as a result of CMMC, those of us in the private sector will continue to push and hold the agencies that are contracting with us to a higher standard.  This in turn will result in better marking and closer attention to CUI within the government.

Q: So what date should we plan to be CMMC 2.0 Level 2 if we are performing AE design of DoD Facilities?

A: “I attended a briefing by NAVFAC SW CO recently and if I understood him correctly, he indicated the CMMC Certification would not be required until 2025. If I understand your response correctly we should not wait until then.”

Q: When will we see CMMC requirements in DoD RFPs?

A: With the introduction of CMMC 2.0, we are now in the Rulemaking Process.  That Rulemaking is expected to take approximately 9-24 months.  At the conclusion of that Rulemaking, all DoD contracts will be CMMC

Q: I attended a briefing by NAVFAC SW CO recently and if I understood him correctly, he indicated the CMMC Certification would not be required until 2025. If I understand your response correctly we should not wait until then?

A: Firstly, this question only referred to CMMC v 1.0.  We are now at version 2.0 and the timeline on this has dramatically changed (see When will we see CMMC requirements in DoD RFPs, above).  There is a lot of misinterpretation and misinformation out there about the timing and you need to consider your compliance journey around a number of factors.  To address the facts, yes, it is true that it is not anticipated that ALL DoD contracts will have a CMMC designation until Rulemaking is complete (2022-2024).  The problem is that when people see or hear that, they jump to the conclusion that CMMC is not yet here and that they don’t need to worry about it for several years.  Not true.

There are two important issues to consider.  The first is timing on the actual certification process.  The second is compliance with NIST 800-171 and the “interim rule”.

Addressing the certification process: you should anticipate that the road to certification is a minimum of 6 months, and it may be longer in your particular case. The CMMC Accreditation Body (CMMC-AB) is already advising Organizations Seeking Certification (OSCs) that it will take 6 months. And that’s based upon the assumption that an OSC is ready to go, right now, with no gaps in performance, etc.

Our experience, both with CMMC/NIST 800-171 and other similar frameworks, is that organizations that are not in that ready-to-go state should factor in an additional 3-6 months.

Next, you need to consider the impact of the “interim rule”. In September 2020, DFARS Case 2019-D041 was released, making additions to DFARS that went into effect on November 30, 2020. DFARS 252.204-7019, 252.204-7020 and 252.204-7021 were added to adopt CMMC, clarify some misinterpretations and add a stop-gap requirement: ALL DoD contracts not bearing a CMMC designation require the organization to be in compliance with NIST 800-171 and to submit its self-assessment score into the Supplier Performance Risk System (SPRS), and Procurement Officers are directed to consult that score and use it as part of the criteria in awarding ANY DoD contract (again, non-CMMC-designated ones).

What’s the practical implication?  Most OSCs are:  a) not ready-to-go with CMMC, b) are presently bidding and looking to be awarded DoD contracts, and c) don’t know when the Rulemaking will be completed and therefore not sure when contracts will come out with the CMMC requirement.  Knowing that the organization could see a CMMC designated contract as early as 2022, combined with a lack of readiness, juxtaposed against the reality of 9-12 months to achieve certification – and it could already be too late to get started.  The time to act is now!

Q: Can you discuss the costs involved, such as software upgrades and physical office changes, needed to achieve CMMC certification?

A: This is a really hard one to answer and predict without knowing a lot more about the existing control environment, the type of contracts and the types of FCI/CUI that may be in use, as well as the desired/required Maturity Level. There are other considerations as well, such as whether the in-scope environment is the entire IT environment or whether an enclave can be created to isolate CUI so that only the minimum environment is assessed. (Note: this may be a strategy for simplifying the environment, but it is not a one-size-fits-all approach. There are some important caveats to consider with this approach.)

More importantly, I think a lot of vendors, so-called solution providers, and industry evangelists don’t fully grasp the spirit, let alone the entirety, of the CMMC.  Too often, these well-meaning entities are peddling a very specific “technological” solution.  While it may sound great and promise a lot, these solutions need to be evaluated to ensure that they adequately cover both the requirements as well as the manner in which your organization operates.  If you take a close look at the actual requirements of the CMMC, only about 50% of the requirements are what we would deem as a “technological” solution.  25% is policy/administrative and the remaining 25% is operational.  If you subscribe to the idea that you must put in new upgrades, physical office changes and new technology, you may still only be addressing a part of what’s needed.  Further, while it is true that technology does have a useful life and a “sunset” product no longer qualifies (therefore requiring purchase of new software and potentially hardware), the truth of the matter is that a significant portion of complying with the standard merely requires re-configuring settings that already exist, tightening down controls that already are available but just not used – in short, it may not require ANY new purchases.  But again, that may not be the case in your environment.

Q: Are activities to collect evidence chargeable under CMMC?

A: That’s a great question and I haven’t seen any guidance on it. Part of that is based upon the fact that the decision on Allowable Expenses under the contract came relatively recently and without much guidance, except to say that the DoD is under the firm belief that most of what falls under CMMC should have already been handled as part of the organization’s adherence to NIST 800-171. Setting that aside, my personal feeling would be that while you might be able to squeeze it in under the initial “getting compliant” charge, evidence gathering is an ongoing task, and I don’t see how you’d be able to accommodate that long-term under the Allowable Expense designation. Further, my opinion, and the strategy we always take, is to systematize the creation/collection of evidence in such a way that there really is no burden in collecting it and therefore producing it to the assessor (C3PAO).

Q: Would like to get your perspective on the state of awareness of CMMC requirements among local firms/sub contractors in countries where US DOD work often occurs – Germany, Japan, Korea, Spain for example?  Do you have a sense through your interactions w/DOD entities managing CMMC about their awareness of the situation and challenges to attain compliance?  Our experience is that things are in a very immature state forcing decisions about risk/compliance for ongoing and prospective work.

A: Unfortunately, on this one I can’t say that I have a very good insight into those particular countries and the understanding therein.   However, I can make an educated guess about it.  And that guess is that similar to what you’ve found, it’s a very immature understanding.  I feel confident with that answer because I would say that, as a whole, the ENTIRE Defense Supply Chain (and I’m mostly focusing on domestic entities) isn’t aware of the requirements.  Let’s face it, a huge majority of firms have quite readily ignored and/or have remained (blissfully) ignorant on NIST 800-171 requirements and that has been around in earnest since 2016!

C3PAO – Certified Third Party Assessor Organization

Q: What is lead time needed to reach out to a C3PAO and schedule an audit? 1 month? 2 months? Longer?

A: I’m going to dissect that question a bit and put it into two categories. You ask about the lead time in reaching out to a C3PAO. In its simplest form, the answer is that the lead time is zero…you can reach out and get it scheduled right now. There are C3PAOs already approved and in the marketplace. As of this writing (November 2021), only a couple of the C3PAOs that have applied have been approved (Vestige included). [This is more a matter of logistics than anything else.] So, if you’re ready, you can reach out right now.

But I suspect you’re asking a slightly different question. My interpretation is that you’re more interested in understanding how long it is going to take until the C3PAO is engaged, on-site, has conducted their work and has issued their report/findings. The CMMC Accreditation Body (CMMC-AB) is already advising Organizations Seeking Certification (OSCs) to expect the process to take about 6 months. Interpreting that a little deeper, I think you can expect it to take 1-2 months to be engaged and actually have the C3PAO on-site, and another month (bringing it to 3 months) for the findings. Add in the available 90-day “cure period” should the C3PAO find any “correctable” deficiencies, and that puts you right at 6 months.

Now that, of course, is assuming you’re ready to go right now.  If you’re not, you need to factor that into your lead time as well.  That could easily be another 3-6 months depending on the Maturity Level as well as the complexity and overall state of affairs within your environment.

Q: How much does it cost for C3PAO to conduct a CMMC level 2 or 3 Assessment?

A: How big is a hole?  How much does it cost to build a house?  I say that a bit tongue-in-cheek, but the reality is that it depends on a number of factors.  Here’s what you can assume: the Maturity Level will absolutely play into that calculation.

Level 1 only requires 17 practices;  Level 2 has 110 practices; and Level 3 builds on that.  Taken at face value, it is approximately 8.5 times more effort to address Level 2 than Level 1 and Level 3 is a bit higher.  The complexity of the environment and the manner in which it is scoped will contribute to the cost.

The Organization Seeking Certification’s (OSC’s) readiness, preparedness and ability to quickly and efficiently provide evidence and meet the requests of the C3PAO will also greatly impact the overall cost, as most C3PAOs will likely charge on a Time & Materials (T&M) basis. However, it is my belief that the number one factor in determining that cost will be market competition. The CMMC Accreditation Body (CMMC-AB) has created a Marketplace for those of us in the CMMC ecosystem (RPOs, C3PAOs, RPs, APs, etc.). Just like in any industry, there will be C3PAOs that focus on the biggest of the big engagements, those that focus on the mid-market and those on the smaller market. There will be C3PAOs that tout quality, and those that carry a “well recognized brand name” and the reputation (good and bad) that comes with it.

The same factors that make this a difficult question to answer, however, work in your favor as an OSC. The fact that a marketplace exists, and that the CMMC-AB has made it front and center in picking a C3PAO, gives you the ability to shop for the perfect fit. Whether you’re shopping on price, quality, ease of use, convenience, adherence to a proven methodology, or you simply like the sound of the name of a C3PAO (I wouldn’t recommend this method any more than I’d recommend consulting a Magic 8 Ball), you will find a C3PAO that matches your criteria.

My recommendation?  Look at all of your options and go with the one that meets your requirement!

Q: How will the C3PAO handle major versus minor deficits at the time of the assessment?

A: At the end of the day it is at the discretion of the C3PAO. Remember, it’s all about the risk tolerance of the auditor/C3PAO. If they feel that a deficiency is minor and doesn’t adversely impact the general adherence to the control, my experience leans in the direction that the C3PAO would waive it. It’s quite possible they would issue a “verbal” comment about it so that you were aware of the deficiency, but not count it against you. HOWEVER, keep in mind that if there are enough “minor” deficiencies, the C3PAO may start to question whether the control environment really is in place and working as designed. In those situations, I could see them taking the approach that “a preponderance of evidence” points to the fact that all these minor deficiencies rise to the level of a material deficiency. It also needs to be weighed in the context that a control is either in place and working or it is not. The C3PAO is going to be looking for evidence that the control is working as designed by corroborating at least 2 out of 3 forms of objective evidence: a) an interview, b) direct observation and/or c) testing. In my opinion, a minor deficiency might be something like this: you have evidence of monthly reviews of logs, and during the interview you say you do it monthly, but testing by the C3PAO shows that for 11 out of 12 months you have evidence while for 1 month you cannot produce it. Would the C3PAO accept that as an isolated exception? As you can see, it’s at the discretion of the C3PAO — but hopefully that sheds some light on it.
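The two answers above (systematizing evidence collection, and the "11 out of 12 months" log-review case) suggest a pre-assessment check an OSC can run on its own evidence inventory before the C3PAO arrives. The script below is an added example, not Vestige's tooling; the evidence records, the "LOG-REVIEW" control label (a placeholder, not an official CMMC or NIST 800-171 identifier) and the `max_isolated_gaps` threshold are all constructed assumptions.

```python
"""Evidence-gap pre-check for a recurring control (added example).

Constructed sample data only. Control labels are placeholders, not official
CMMC or NIST 800-171 identifiers.
"""
from dataclasses import dataclass
from datetime import date

# The three forms of objective evidence a C3PAO corroborates; two of three are needed.
FORMS = ("interview", "observation", "test")


@dataclass(frozen=True)
class Evidence:
    control: str   # placeholder control label (e.g. "LOG-REVIEW")
    form: str      # one of FORMS
    artifact: str  # constructed artifact reference (file name, ticket id, ...)
    period: date   # month the artifact covers; the day is ignored


# Constructed inventory for a hypothetical monthly log-review control in 2023.
# The July sign-off was never filed, mirroring the "11 out of 12 months" case.
SAMPLE_EVIDENCE = [
    Evidence("LOG-REVIEW", "interview", "interview-notes-soc-lead.md", date(2023, 1, 15)),
    Evidence("LOG-REVIEW", "observation", "screenshot-siem-review-queue.png", date(2023, 3, 2)),
] + [
    Evidence("LOG-REVIEW", "test", f"log-review-signoff-2023-{m:02d}.pdf", date(2023, m, 28))
    for m in range(1, 13)
    if m != 7
]


def months_with_test_evidence(records, control, year):
    """Months of `year` for which a testable artifact exists for `control`."""
    return {
        r.period.month
        for r in records
        if r.control == control and r.form == "test" and r.period.year == year
    }


def missing_months(records, control, year):
    """Calendar months (1-12) with no testable artifact, sorted ascending."""
    return sorted(set(range(1, 13)) - months_with_test_evidence(records, control, year))


def forms_present(records, control):
    """Which of the three objective-evidence forms exist for `control`."""
    return {r.form for r in records if r.control == control and r.form in FORMS}


def corroborated(records, control):
    """True when at least two of the three evidence forms are on file."""
    return len(forms_present(records, control)) >= 2


def assess(records, control, year, max_isolated_gaps=1):
    """Summarise readiness for one recurring control.

    `max_isolated_gaps` is the OSC's own pre-assessment threshold (an
    assumption of this example): gaps at or below it are reported as an
    isolated exception, more than that as a pattern that an assessor may
    treat as a material deficiency. The C3PAO makes the actual call.
    """
    gaps = missing_months(records, control, year)
    if not gaps:
        flag = "none"
    elif len(gaps) <= max_isolated_gaps:
        flag = "isolated_exception"
    else:
        flag = "pattern_of_gaps"
    return {
        "control": control,
        "year": year,
        "coverage": f"{12 - len(gaps)}/12",
        "missing_months": gaps,
        "forms": sorted(forms_present(records, control)),
        "corroborated": corroborated(records, control),
        "flag": flag,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EVIDENCE, "LOG-REVIEW", 2023))
```

Run it against a real inventory by replacing SAMPLE_EVIDENCE with records exported from wherever sign-offs, interview notes and screenshots are kept; a "pattern_of_gaps" flag is the signal to remediate before scheduling the assessment.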

We hope this CMMC Readiness Q&A page proves helpful.  If you have additional questions, feel free to CONTACT US. We’re happy to help.
